Port profiles allow you to configure network and security features under a single profile that can be applied to multiple interfaces. Once you define a port profile, one or more interfaces can inherit that profile, and with it every setting defined in it. You can define multiple profiles, each assigned to different interfaces.
As part of this design, the configuration example that follows defines two port profiles (vm180 and erspan). Port profile vm180 has been assigned to virtual Ethernet ports 9 and 10, and port profile erspan has been assigned to virtual Ethernet port 8.
Note The ip flow monitor command is in reference to Encapsulated Remote Switched Port Analyzer (ERSPAN) and will be discussed in the next section.
port-profile vm180
  vmware port-group pg180
  switchport mode access
  switchport access vlan 180
  ip flow monitor ESE-flow input
  ip flow monitor ESE-flow output
  no shutdown
  state enabled
interface Vethernet9
  inherit port-profile vm180
interface Vethernet10
  inherit port-profile vm180
port-profile erspan
  capability l3control
  vmware port-group
  switchport access vlan 3000
  no shutdown
  system vlan 3000
  state enabled
interface Vethernet8
  mtu 9216
  inherit port-profile erspan
Once the port profile is configured on the Cisco Nexus 1000V, it can be applied to a specific virtual machine as a port group in the VMware Virtual Center. Figure 4-17 shows that port profiles pg180 and erspan are available as port groups in the Virtual Center.
Figure 4-17 VMware Virtual Center Port Group
There are multiple security benefits of this feature. First, network security policies are still defined by the network and security administrators and are applied to the virtual switch in the same way that they are applied to physical access switches today. Second, once the features are defined in a port profile and assigned to an interface, the server administrator need only pick the available port group and assign it to the virtual machine. This reduces the chance of misconfiguration and of overlapping or non-compliant security policies being applied.
Visibility
Server virtualization brings new challenges for visibility into what is occurring at the virtual network level. Traffic flows can now occur within the server between virtual machines without needing to traverse a physical access switch. If a virtual machine is infected or compromised it might be more difficult for administrators to spot without the traffic forwarding through security appliances.
Encapsulated Remote Switched Port Analyzer (ERSPAN) is a very useful tool for gaining visibility into network traffic flows. This feature is supported on the Cisco Nexus 1000V. ERSPAN can be enabled on the Cisco Nexus 1000V and traffic flows can be exported from the server to external devices. See Figure 4-18.
Figure 4-18 Cisco Nexus 1000V and ERSPAN IDS and NAM at Services Switch
In this design, ERSPAN forwards copies of the virtual machine traffic to the Cisco IPS appliance and the Cisco Network Analysis Module (NAM). Both the Cisco IPS and Cisco NAM are located at the service layer in the service switch. A new virtual sensor (VS1) has been created on the existing Cisco IPS appliances to provide monitoring only for the ERSPAN session from the server. Up to four virtual sensors can be configured on a single Cisco IPS, and each can be configured in either intrusion prevention system (IPS) or intrusion detection system (IDS) mode. In this case the new virtual sensor VS1 has been set to IDS (monitor) mode. It receives a copy of the virtual machine traffic over the ERSPAN session from the Cisco Nexus 1000V.
Two ERSPAN sessions have been created on the Cisco Nexus 1000V. Session 1 has a destination of the Cisco NAM and session 2 has a destination of the Cisco IPS appliance. Each session terminates on the 6500 service switch. The ERSPAN configuration on the Cisco Nexus 1000V is shown in the following example.
port-profile erspan
  capability l3control
  vmware port-group
  switchport access vlan 3000
  no shutdown
  system vlan 3000
  state enabled
!
monitor session 1 type erspan-source
  description - to SS1 NAM via VLAN 3000
  source interface Vethernet8 both
  destination ip 10.8.33.4
monitor session 2 type erspan-source
  description - to SS1 IDS1 via VLAN 3000
  source interface Vethernet8 both
  destination ip 10.8.33.4
  erspan-id 2
The corresponding ERSPAN configuration on the Cisco Catalyst 6500 services switch is shown in the following configuration.
monitor session 1 type erspan-source
  description N1k ERSPAN - dcesx4n1 session 1
  source vlan 3000
  destination
    erspan-id 1
    ip address 10.8.33.4
!
monitor session 3 type erspan-destination
  description N1k ERSPAN to NAM
  destination analysis-module 9 data-port 2
  source
    erspan-id 1
    ip address 10.8.33.4
!
monitor session 2 type erspan-source
  description N1k ERSPAN - dcesx4n1 session 2
  source vlan 3000
  destination
    erspan-id 2
    ip address 10.8.33.4
!
monitor session 4 type erspan-destination
  description N1k ERSPAN to IDS1
  destination interface Gi3/26
  source
    erspan-id 2
    ip address 10.8.33.4
Using a different ERSPAN-id for each session provides isolation. A maximum of 66 source and destination ERSPAN sessions can be configured per switch. ERSPAN can affect overall system performance depending on the number of ports sending data and the amount of traffic being generated. Monitor system performance after enabling ERSPAN to verify its overall effect on the system.
Note You must permit protocol type header “0x88BE” for ERSPAN Generic Routing Encapsulation (GRE) connections.
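As an added illustration that is not part of this design guide, the following Python builds and parses the GRE/ERSPAN Type II encapsulation the note refers to. It shows why a filter must permit GRE protocol type 0x88BE and how the two sessions that share destination 10.8.33.4 are told apart only by erspan-id; the id-to-sink table is an assumption drawn from the 6500 destination sessions above (id 2 to IDS1 is in the configuration, id 1 to the NAM is assumed).

```python
import struct

GRE_PROTO_ERSPAN = 0x88BE   # GRE protocol type the note says must be permitted
GRE_FLAG_C = 0x8000         # C bit: 4 bytes of checksum/reserved follow the header
GRE_FLAG_K = 0x2000         # K bit: a 4-byte key follows
GRE_FLAG_S = 0x1000         # S bit: a 4-byte sequence number follows (ERSPAN Type II sets it)

# Assumed demux table: both Nexus 1000V sessions target 10.8.33.4 and the 6500 tells
# them apart only by erspan-id (id 2 -> IDS1 per the config; id 1 -> NAM is assumed).
ERSPAN_ID_TO_SINK = {1: "NAM analysis-module 9 data-port 2", 2: "IDS1 Gi3/26"}


def build_erspan2(erspan_id, vlan, seq, payload):
    """Build a constructed GRE + ERSPAN Type II packet carrying one mirrored frame."""
    gre = struct.pack("!HHI", GRE_FLAG_S, GRE_PROTO_ERSPAN, seq)
    # ERSPAN Type II word 1: Ver(4)=1 | VLAN(12) | COS(3) | En(2) | T(1) | Session ID(10)
    word1 = (1 << 28) | ((vlan & 0xFFF) << 16) | (erspan_id & 0x3FF)
    word2 = 0  # Reserved(12) | Index(20); not needed to pick a destination session
    return gre + struct.pack("!II", word1, word2) + payload


def parse_erspan2(packet):
    """Return (erspan_id, vlan, mirrored frame); raise ValueError if not ERSPAN Type II."""
    flags, proto = struct.unpack_from("!HH", packet, 0)
    if proto != GRE_PROTO_ERSPAN:
        raise ValueError("GRE protocol type 0x%04X is not ERSPAN" % proto)
    off = 4
    for flag in (GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S):  # optional GRE fields, in wire order
        if flags & flag:
            off += 4
    word1, = struct.unpack_from("!I", packet, off)
    if word1 >> 28 != 1:
        raise ValueError("ERSPAN version %d is not Type II" % (word1 >> 28))
    return word1 & 0x3FF, (word1 >> 16) & 0xFFF, packet[off + 8:]


def is_erspan(packet):
    """True when a GRE packet would pass a filter that permits only ERSPAN (0x88BE)."""
    try:
        parse_erspan2(packet)
        return True
    except (ValueError, struct.error):
        return False


def route(packet):
    """Choose the decapsulation sink the way the 6500 erspan-destination sessions do."""
    erspan_id, _vlan, _frame = parse_erspan2(packet)
    return ERSPAN_ID_TO_SINK.get(erspan_id, "dropped: no destination session for id %d" % erspan_id)
```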
Isolation
Server-to-server filtering can be performed using ACLs on the Cisco Nexus 1000V. In the configuration example that follows, we use an IP ACL to block communication between two virtual machines. In this example, there are two virtual machines (10.8.180.230 and 10.8.180.234) on the same physical server.
In order to block communication from VM 10.8.180.230 to VM 10.8.180.234, an ACL is used on the Cisco Nexus 1000V. Because the server-to-server traffic never leaves the physical server, the ACL provides an excellent method for segmenting this traffic.
Prior to defining and applying the ACL, the 10.8.180.230 virtual machine is allowed to communicate directly with the 10.8.180.234 virtual machine through a variety of methods. By default, ping, Telnet, and FTP traffic types are all allowed. Figure 4-19 shows the general traffic flow between the virtual machines, while the command output listing that follows illustrates the traffic activity.
Figure 4-19 VM-to-VM Traffic
C:\Documents and Settings\Administrator> ping 10.8.180.234
Pinging 10.8.180.234 with 32 bytes of data:
Reply from 10.8.180.234: bytes=32 time<1ms TTL=128
Reply from 10.8.180.234: bytes=32 time<1ms TTL=128
Reply from 10.8.180.234: bytes=32 time<1ms TTL=128
Reply from 10.8.180.234: bytes=32 time<1ms TTL=128
Ping statistics for 10.8.180.234:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Documents and Settings\Administrator> ftp 10.8.180.234
Connected to 10.8.180.234.
220 Microsoft FTP Service
User (10.8.180.234:(none)):
C:\Documents and Settings\Administrator> telnet 10.8.180.234 80
GET HTTP://10.8.180.234
<html>
<head>
<meta HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<title ID=titletext>Under Construction</title>
</head>
<body bgcolor=white>
<table>
<tr>
<td ID=tableProps width=70 valign=top align=center>
<img ID=pagerrorImg src="pagerror.gif" width=36 height=48>
<td ID=tablePropsWidth width=400>
<h1 ID=errortype style="font:14pt/16pt verdana; color:#4e4e4e">
<P ID=Comment1><!--Problem--><P ID="errorText">Under Construction</h1>
<P ID=Comment2><!--Probable causes:<--><P ID="errordesc"><font style="font:9pt/12pt verdana; color:black">
The site you are trying to view does not currently have a default page. It may be in the process of being upgraded and configured.
<P ID=term1>Please try this site again later. If you still experience the problem, try contacting the Web site administrator.
<hr size=1 color="blue">
<P ID=message1>If you are the Web site administrator and feel you have received this message in error, please see "Enabling and Disabling Dynamic Content&quot; in IIS Help.
…</html>
Note The preceding Telnet example opens a Telnet connection to port 80—the web server port on 10.8.180.234. A simple GET command provides a brief amount of reconnaissance information.
There are two options for adding an access list to the virtual Ethernet interfaces to block communication.
The first option is to define the ACL and apply the access group to a port profile; all interfaces configured for that port profile then inherit the access-group setting. The second option, for ACLs you wish to configure on a specific interface, is to apply the access group directly to the virtual Ethernet interface in addition to the port profile. The port profile still applies, but the access group is applied only to that specific interface instead of to all interfaces that inherit the port profile.
In this example, an ACL is created and applied to virtual Ethernet 13. The 10.8.180.230 virtual machine resides on virtual Ethernet 8 and the 10.8.180.234 virtual machine resides on virtual Ethernet 13. Access groups on the Cisco Nexus 1000V must be applied inbound. To block traffic from .230 to .234 we will create an ACL and apply it inbound on virtual Ethernet 13. See Figure 4-20 and the configuration listing that follows.
Figure 4-20 VM-to-VM Traffic Blocked by Port ACL on Cisco Nexus 1000
dcvsm(config)# ip access-list s-to-s
dcvsm(config-acl)# deny ip host 10.8.180.230 host 10.8.180.234
dcvsm(config-acl)# permit ip any any
dcvsm(config-if)# int vethernet 13
dcvsm(config-if)# ip port access-group s-to-s in
dcvsm(config-if)# exit
interface Vethernet8
  ip port access-group s-to-s in
  inherit port-profile vm180
We can now retest to verify that traffic is blocked from 10.8.180.230 to 10.8.180.234.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\Administrator> ping 10.8.180.234
Pinging 10.8.180.234 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.8.180.234:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Documents and Settings\Administrator> telnet 10.8.180.234 80
Connecting To 10.8.180.234...Could not open connection to the host, on port 80: Connect failed
C:\Documents and Settings\Administrator> ftp 10.8.180.234
> ftp: connect :Connection timed out
ftp>
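The procedure above (define the s-to-s list, bind it inbound on one virtual Ethernet interface, retest) as an added Python model that is not part of the design guide: it walks the list top-down with first-match semantics and an implicit deny, and applies it only to packets checked inbound on the interface it is bound to. Following the text, the list is assumed to be bound to Vethernet 13 with the .230-to-.234 packets checked there, and the reverse direction checked on Vethernet 8, which carries no ACL.

```python
import ipaddress
from collections import namedtuple

Ace = namedtuple("Ace", "action src dst")   # one entry of an IP access list
Flow = namedtuple("Flow", "src dst veth")   # veth: interface whose inbound port ACL checks the packet

# The s-to-s list from the listing above; entries are tried top-down, first match wins.
S_TO_S = [
    Ace("deny", "10.8.180.230/32", "10.8.180.234/32"),
    Ace("permit", "0.0.0.0/0", "0.0.0.0/0"),
]

# Port ACLs on the Nexus 1000V are applied inbound only. Assumed binding, following
# the text: s-to-s on Vethernet 13; Vethernet 8 has no port ACL.
PORT_ACLS = {13: S_TO_S}


def evaluate(acl, flow):
    """Return the action of the first ACE matching the flow, or the implicit deny."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for ace in acl:
        if src in ipaddress.ip_network(ace.src) and dst in ipaddress.ip_network(ace.dst):
            return ace.action
    return "deny"


def forwarded(flow):
    """A packet passes unless the inbound port ACL on its vEthernet denies it."""
    acl = PORT_ACLS.get(flow.veth)
    return acl is None or evaluate(acl, flow) == "permit"


def conversation(client, server, client_veth, server_veth):
    """Stateless check of both directions: request and reply must each be forwarded."""
    request = forwarded(Flow(client, server, client_veth))
    reply = forwarded(Flow(server, client, server_veth))
    return {"request": request, "reply": reply, "works": request and reply}
```

The reverse-direction result is the caveat worth noting: the single deny entry is stateless, so a conversation started from .234 still delivers its first packets to .230 and only the replies are dropped.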
The Nexus 1000V virtual switch establishes traditional security features for the virtual server environment. Additional security features available on the Cisco Nexus 1000V include the following:
• Private VLANs
• Port security
• Cisco Catalyst integrated security features for anti-spoofing